Skip to content
TrekTastes
For vendors Get the app EN NL

Vendor Privacy Policy

Version 1.0 · Last updated: 2026-07-03

On this page

  1. 1. Who we are
  2. 2. What data we process
  3. 3. Why we process it (purposes and legal bases)
  4. 4. Who receives your data
  5. 5. International transfers
  6. 6. How long we keep your data
  7. 7. Your rights
  8. 8. Security
  9. 9. Changes to this policy

This policy explains how TrekTastes handles the personal data of Vendor Platform users, in compliance with the GDPR and the Dutch AVG. Data-processing roles for customer order data are set out in the separate Data Processing Agreement; customers are covered by the Customer Privacy Policy.

The “In short” notes are plain-language summaries for readability only — the full policy text below each summary is what applies.

1. Who we are

In short: Arkstasis (trading as TrekTastes), a sole proprietorship in Amsterdam, KvK 42057592, is the controller for vendor-account data. Contact: privacy@trektastes.com.

Arkstasis (eenmanszaak), Amsterdam, the Netherlands, KvK no. 42057592, operating the TrekTastes platform, is the controller for the personal data of Vendor Platform users described in this policy. Contact: privacy@trektastes.com.

2. What data we process

In short: Your business and identity details, your Stripe account identifier and verification status (Stripe holds the KYC/banking data itself), your operational data (menus, orders, payouts), and technical data for security — all on our own EU infrastructure.
  • Business and identity data: business name, VAT number, your name and role, contact details and address. For sole traders, much of this is personal data.
  • Stripe onboarding status: Stripe collects your KYC and banking data directly under your own Stripe agreement (Stripe is an independent controller for that). We store your Stripe account identifier and verification status flags.
  • Operational data: menus, prices, order history, payout summaries and event participation.
  • Technical data: device information, IP address and app usage, for security and service improvement — processed on our own self-hosted EU infrastructure. No crash reports or usage analytics are sent to any third party today; if we introduce them, we will update this policy first.

3. Why we process it (purposes and legal bases)

In short: To run your account (contract), meet DAC7 and fiscal duties (legal obligation), keep the platform secure and handle disputes (legitimate interest), and — only with consent — send vendor news.

We process your data on the following legal bases under GDPR art. 6:

  • Operating your vendor account, listings and order queue — contract (art. 6(1)(b)).
  • DAC7 seller reporting to the Belastingdienst and fiscal record-keeping — legal obligation (art. 6(1)(c)).
  • Fraud prevention, platform security, dispute and chargeback handling, and food-safety incident handling — legitimate interests (art. 6(1)(f)).
  • Product news and marketing to vendors — consent, or soft opt-in where permitted.

4. Who receives your data

In short: Stripe (payments), our hosting and encrypted-backup providers, the Expo push relay (transport only), the Dutch tax authority (DAC7), event organisers (limited event data), and authorities where required. We never sell your data.
  • Stripe — payments; an independent controller for the KYC data you provide under your own Stripe agreement.
  • Our hosting provider — the infrastructure on which our self-hosted platform runs.
  • An off-site backup provider — receives only AES-256/GPG-encrypted artifacts.
  • The Expo push-notification relay — transport only; notification payloads carry no message content.
  • The Belastingdienst — the annual DAC7 report.
  • Event organisers — the limited listing and participation data needed to run their event.
  • Authorities — where we are legally required.

We do not sell your data.

5. International transfers

In short: Almost everything stays on our EU server. The only data leaving the EU is push-notification transport (Expo, US) and encrypted-only backups — under adequacy decisions or Standard Contractual Clauses.

The only cross-border flows today are the Expo push relay (United States — transport only) and off-site backups to an external provider, which receive only AES-256/GPG-encrypted artifacts. For these we rely on an adequacy decision (e.g. the EU–US Data Privacy Framework for certified providers) or the European Commission's Standard Contractual Clauses. Everything else runs on our own self-hosted EU server.

6. How long we keep your data

In short: Account and listing data while your account exists; financial and DAC7 records for 10 years (Dutch fiscal rules); everything else only as long as needed. You can request deletion, subject to legal retention.

We keep account and listing data for the duration of your account. Financial and DAC7-relevant records are retained for 10 years in line with Dutch fiscal retention obligations. Other categories are kept only as long as needed for the purpose they were collected for. You may request deletion at any time; statutory retention obligations may prevent full immediate deletion.

7. Your rights

In short: Access, correct, delete, restrict, port or object, and withdraw consent — via privacy@trektastes.com. You can also complain to the Dutch DPA.

Under GDPR you have the right to access, rectify, erase, restrict, port and object to the processing of your data, and to withdraw any consent at any time. To exercise your rights, contact privacy@trektastes.com. You may also lodge a complaint with the Dutch DPA, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

8. Security

In short: Encryption in transit and at rest, restricted database roles, audit logging and encrypted backups. Keep your credentials safe and report any suspected access.

We protect your data with encryption in transit and at rest for archived records, database role stratification (runtime roles cannot read credential or KYC columns), audit logging and encrypted off-site backups, per the technical and organisational measures in the Data Processing Agreement. You must keep your credentials confidential and tell us about any suspected unauthorised access.

9. Changes to this policy

In short: We'll flag material changes before they take effect and keep previous versions available on request.

We will announce material changes before they take effect and keep previous versions available on request.

Data Controller: Arkstasis (eenmanszaak) — Amsterdam, the Netherlands · KvK 42057592 — operating the TrekTastes platform

Privacy enquiries: privacy@trektastes.com

Food festivals & street markets in Amsterdam.

Download on the App Store GET IT ON Google Play

TrekTastes

For vendors Privacy Terms

Support

support@trektastes.com
© 2026 TrekTastes Made in Amsterdam